DHS Officials Won’t Name States Affected by 2016 Election Hackers

Officials from the Department of Homeland Security today disclosed that hackers spied on the election networks of 21 states in 2016 but, to the frustration of some members of the Senate Intelligence Committee, they refused to name the states. “When an entity is a victim of a cyber intrusion, we believe very strongly in protecting the information around that victim,” Jeanette Manfra, acting DHS deputy undersecretary for cybersecurity and communications, told the committee. “We believe it is important to protect the confidentiality that we have and the trust that we have with that community,” Ms. Manfra said.

Samuel Liles, acting director of the cyber division in DHS’s Office of Intelligence and Analysis, described the activity of the hackers as “scanning for vulnerabilities.” In a smaller number of states, the potential intruders tried to penetrate systems. In an even smaller number, data was exfiltrated, he said.

Only two states, Arizona and Illinois, have been identified as victims of an intrusion during the run-up to the 2016 presidential election. Some lawmakers, including Sen. Mark Warner (D., Va.), vice chairman of the Intelligence Committee, have sought additional information.

“I do not believe our country is made safer by holding this information back from the American public,” he said at today’s hearing. “We’ve seen this for too long in cyber where people try to just sweep this under the rug.”

Ms. Manfra also would not say how many state election networks had data stolen from them. “I prefer not to go into those details in this forum,” she said. But she insisted that officials in all of the affected states were aware of any cyber attacks on their systems — an assertion that was met with skepticism by Sen. Warner.

“Within those 21 states, I have no guarantee that their election officials are aware that they may have been attacked,” he said. Sen. Warner yesterday wrote to DHS Secretary John Kelly seeking more information about which states were affected (TR Daily, June 20).

The DHS officials at today’s hearing said they remained confident in the intelligence community’s assessment that Russian government operatives conducted the cyber attacks as part of an “influence operation” to undermine confidence in the U.S. electoral system and damage former Secretary of State Hillary Clinton’s campaign for the presidency.

They also stood by official assessments that hackers did not change any votes. But they said the Russian government was likely to meddle in U.S. elections again. “I believe the Russians will absolutely continue to conduct influence operations in the U.S.,” said Bill Priestap, assistant director of the FBI’s counterintelligence division. “Its election-related activity wasn’t a one-time event.”

Mr. Priestap told the committee that hackers had stolen voter data from some state networks but said he was unsure what they intended to do with it. “They could use the data in a variety of ways,” he said. “Unfortunately in this setting I can’t go into all of them.”

He speculated that Russian operatives might have taken the data “to understand what it consisted of” and to “plan accordingly” for future operations.

Sen. Richard Burr (R., N.C.), the committee’s chairman, said he hoped his committee’s investigation of 2016 election interference would help find ways to prevent such activity in the future. “In 2016 we were woefully unprepared to defend and respond,” he said. “I’m hopeful that we will not be caught flat-footed again.”

But the committee has heard conflicting opinions on what needs to be done. In January, former DHS Secretary Jeh Johnson designated election systems as critical infrastructure — a decision that meant state election officials could request federal help to secure their systems and engage in more robust sharing of information about cyber threats.

But under Secretary Kelly, DHS is considering reversing Mr. Johnson’s decision because of resistance from some states. The National Association of Secretaries of State decided, on a bipartisan basis, to oppose the designation, according to Connie Lawson, the association’s president-elect and Indiana’s Secretary of State.

“Setting up a hastily-formed subsector of critical infrastructure around elections isn’t going to make us more secure,” Ms. Lawson told the Intelligence Committee today. “If the designation reduces diversity, autonomy, and transparency in state and local election systems, the potential for adverse effects from perceived or real cyber attacks will likely be much greater and not the other way around.”

The good news from today’s hearing is that national elections in the U.S. involve a hodgepodge of so many different types of software and hardware administered by so many different agencies that changing vote tallies in a meaningful way would be difficult. It would be “nearly impossible” for that to occur without detection, Mr. Liles said. —Tom Leithauser, tom.leithauser@wolterskluwer.com